Re: [Shorewall-users] Cannot ping between hosts in the same zone but with different netmasks

Vieri Di Paola Fri, 10 Jul 2020 01:53:33 -0700

On Fri, Jul 10, 2020 at 3:20 AM Tom Eastep <teas...@shorewall.net> wrote:


> Clearly the firewall is dropping the replies, but I can see no reason
> why it should. You could try using 'shorewall iptrace' to try to
> understand where.

This is the trace I could get:

# grep -i trace /var/log/messages |grep 10.215.144.251
Jul 10 10:38:34 inf-fw1 kernel: TRACE: raw:PREROUTING:policy:13
IN=lan.1 OUT= MAC=ac:1f:6b:f5:b7:1b:00:50:56:b6:1f:15:08:00
SRC=10.215.246.24 DST=10.215.144.251 LEN=60 TOS=0x00 PREC=0x00 TTL=128
ID=21549 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=26368
Jul 10 10:38:34 inf-fw1 kernel: TRACE: mangle:PREROUTING:rule:1
IN=lan.1 OUT= MAC=ac:1f:6b:f5:b7:1b:00:50:56:b6:1f:15:08:00
SRC=10.215.246.24 DST=10.215.144.251 LEN=60 TOS=0x00 PREC=0x00 TTL=128
ID=21549 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=26368
Jul 10 10:38:34 inf-fw1 kernel: TRACE: mangle:PREROUTING:policy:24
IN=lan.1 OUT= MAC=ac:1f:6b:f5:b7:1b:00:50:56:b6:1f:15:08:00
SRC=10.215.246.24 DST=10.215.144.251 LEN=60 TOS=0x00 PREC=0x00 TTL=128
ID=21549 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=26368
Jul 10 10:38:34 inf-fw1 kernel: TRACE: mangle:FORWARD:rule:1 IN=lan.1
OUT=lan.1 MAC=ac:1f:6b:f5:b7:1b:00:50:56:b6:1f:15:08:00
SRC=10.215.246.24 DST=10.215.144.251 LEN=60 TOS=0x00 PREC=0x00 TTL=127
ID=21549 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=26368
Jul 10 10:38:34 inf-fw1 kernel: TRACE: mangle:FORWARD:policy:2
IN=lan.1 OUT=lan.1 MAC=ac:1f:6b:f5:b7:1b:00:50:56:b6:1f:15:08:00
SRC=10.215.246.24 DST=10.215.144.251 LEN=60 TOS=0x00 PREC=0x00 TTL=127
ID=21549 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=26368
Jul 10 10:38:34 inf-fw1 kernel: TRACE: filter:FORWARD:rule:3 IN=lan.1
OUT=lan.1 MAC=ac:1f:6b:f5:b7:1b:00:50:56:b6:1f:15:08:00
SRC=10.215.246.24 DST=10.215.144.251 LEN=60 TOS=0x00 PREC=0x00 TTL=127
ID=21549 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=26368
Jul 10 10:38:34 inf-fw1 kernel: TRACE: filter:lan1_frwd:rule:3
IN=lan.1 OUT=lan.1 MAC=ac:1f:6b:f5:b7:1b:00:50:56:b6:1f:15:08:00
SRC=10.215.246.24 DST=10.215.144.251 LEN=60 TOS=0x00 PREC=0x00 TTL=127
ID=21549 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=26368
Jul 10 10:38:34 inf-fw1 kernel: TRACE: filter:~comb266:rule:1 IN=lan.1
OUT=lan.1 MAC=ac:1f:6b:f5:b7:1b:00:50:56:b6:1f:15:08:00
SRC=10.215.246.24 DST=10.215.144.251 LEN=60 TOS=0x00 PREC=0x00 TTL=127
ID=21549 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=26368
Jul 10 10:38:34 inf-fw1 kernel: TRACE: filter:dynamic:return:1
IN=lan.1 OUT=lan.1 MAC=ac:1f:6b:f5:b7:1b:00:50:56:b6:1f:15:08:00
SRC=10.215.246.24 DST=10.215.144.251 LEN=60 TOS=0x00 PREC=0x00 TTL=127
ID=21549 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=26368
Jul 10 10:38:34 inf-fw1 kernel: TRACE: filter:~comb266:return:3
IN=lan.1 OUT=lan.1 MAC=ac:1f:6b:f5:b7:1b:00:50:56:b6:1f:15:08:00
SRC=10.215.246.24 DST 10.215.144.251 LEN=60 TOS=0x00 PREC=0x00 TTL=127
ID=21549 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=26368
Jul 10 10:38:34 inf-fw1 kernel: TRACE: mangle:POSTROUTING:policy:1 IN=
OUT=lan.1 SRC=10.215.246.24 DST=10.215.144.251 LEN=60 TOS=0x00
PREC=0x00 TTL=127 ID=21549 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=26368
Jul 10 10:38:56 inf-fw1 kernel: TRACE: raw:PREROUTING:policy:13
IN=lan.1 OUT= MAC=ac:1f:6b:f5:b7:1b:00:50:56:b6:1f:15:08:00
SRC=10.215.246.24 DST=10.215.144.251 LEN=60 TOS=0x00 PREC=0x00 TTL=128
ID=21613 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=27392
Jul 10 10:38:56 inf-fw1 kernel: TRACE: mangle:PREROUTING:rule:1
IN=lan.1 OUT= MAC=ac:1f:6b:f5:b7:1b:00:50:56:b6:1f:15:08:00
SRC=10.215.246.24 DST=10.215.144.251 LEN=60 TOS=0x00 PREC=0x00 TTL=128
ID=21613 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=27392
Jul 10 10:38:56 inf-fw1 kernel: TRACE: mangle:PREROUTING:policy:24
IN=lan.1 OUT= MAC=ac:1f:6b:f5:b7:1b:00:50:56:b6:1f:15:08:00
SRC=10.215.246.24 DST=10.215.144.251 LEN=60 TOS=0x00 PREC=0x00 TTL=128
ID=21613 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=27392
Jul 10 10:38:56 inf-fw1 kernel: TRACE: mangle:FORWARD:rule:1 IN=lan.1
OUT=lan.1 MAC=ac:1f:6b:f5:b7:1b:00:50:56:b6:1f:15:08:00
SRC=10.215.246.24 DST=10.215.144.251 LEN=60 TOS=0x00 PREC=0x00 TTL=127
ID=21613 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=27392
Jul 10 10:38:56 inf-fw1 kernel: TRACE: mangle:FORWARD:policy:2
IN=lan.1 OUT=lan.1 MAC=ac:1f:6b:f5:b7:1b:00:50:56:b6:1f:15:08:00
SRC=10.215.246.24 DST=10.215.144.251 LEN=60 TOS=0x00 PREC=0x00 TTL=127
ID=21613 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=27392
Jul 10 10:38:56 inf-fw1 kernel: TRACE: filter:FORWARD:rule:3 IN=lan.1
OUT=lan.1 MAC=ac:1f:6b:f5:b7:1b:00:50:56:b6:1f:15:08:00
SRC=10.215.246.24 DST=10.215.144.251 LEN=60 TOS=0x00 PREC=0x00 TTL=127
ID=21613 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=27392
Jul 10 10:38:56 inf-fw1 kernel: TRACE: filter:lan1_frwd:rule:3
IN=lan.1 OUT=lan.1 MAC=ac:1f:6b:f5:b7:1b:00:50:56:b6:1f:15:08:00
SRC=10.215.246.24 DST=10.215.144.251 LEN=60 TOS=0x00 PREC=0x00 TTL=127
ID=21613 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=27392
Jul 10 10:38:56 inf-fw1 kernel: TRACE: filter:~comb266:rule:1 IN=lan.1
OUT=lan.1 MAC=ac:1f:6b:f5:b7:1b:00:50:56:b6:1f:15:08:00
SRC=10.215.246.24 DST=10.215.144.251 LEN=60 TOS=0x00 PREC=0x00 TTL=127
ID=21613 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=27392
Jul 10 10:38:56 inf-fw1 kernel: TRACE: filter:dynamic:return:1
IN=lan.1 OUT=lan.1 MAC=ac:1f:6b:f5:b7:1b:00:50:56:b6:1f:15:08:00
SRC=10.215.246.24 DST=10.215.144.251 LEN=60 TOS=0x00 PREC=0x00 TTL=127
ID=21613 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=27392
Jul 10 10:38:56 inf-fw1 kernel: TRACE: filter:~comb266:return:3
IN=lan.1 OUT=lan.1 MAC=ac:1f:6b:f5:b7:1b:00:50:56:b6:1f:15:08:00
SRC=10.215.246.24 DST 10.215.144.251 LEN=60 TOS=0x00 PREC=0x00 TTL=127
ID=21613 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=27392
Jul 10 10:38:56 inf-fw1 kernel: TRACE: mangle:POSTROUTING:policy:1 IN=
OUT=lan.1 SRC=10.215.246.24 DST=10.215.144.251 LEN=60 TOS=0x00
PREC=0x00 TTL=127 ID=21613 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=27392
Jul 10 10:39:07 inf-fw1 kernel: TRACE: raw:PREROUTING:policy:13
IN=lan.1 OUT= MAC=ac:1f:6b:f5:b7:1b:00:50:56:b6:1f:15:08:00
SRC=10.215.246.24 DST=10.215.144.251 LEN=60 TOS=0x00 PREC=0x00 TTL=128
ID=21632 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=27904
Jul 10 10:39:07 inf-fw1 kernel: TRACE: mangle:PREROUTING:rule:1
IN=lan.1 OUT= MAC=ac:1f:6b:f5:b7:1b:00:50:56:b6:1f:15:08:00
SRC=10.215.246.24 DST=10.215.144.251 LEN=60 TOS=0x00 PREC=0x00 TTL=128
ID=21632 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=27904
Jul 10 10:39:07 inf-fw1 kernel: TRACE: mangle:PREROUTING:policy:24
IN=lan.1 OUT= MAC=ac:1f:6b:f5:b7:1b:00:50:56:b6:1f:15:08:00
SRC=10.215.246.24 DST=10.215.144.251 LEN=60 TOS=0x00 PREC=0x00 TTL=128
ID=21632 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=27904
Jul 10 10:39:07 inf-fw1 kernel: TRACE: mangle:FORWARD:rule:1 IN=lan.1
OUT=lan.1 MAC=ac:1f:6b:f5:b7:1b:00:50:56:b6:1f:15:08:00
SRC=10.215.246.24 DST=10.215.144.251 LEN=60 TOS=0x00 PREC=0x00 TTL=127
ID=21632 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=27904
Jul 10 10:39:07 inf-fw1 kernel: TRACE: mangle:FORWARD:policy:2
IN=lan.1 OUT=lan.1 MAC=ac:1f:6b:f5:b7:1b:00:50:56:b6:1f:15:08:00
SRC=10.215.246.24 DST=10.215.144.251 LEN=60 TOS=0x00 PREC=0x00 TTL=127
ID=21632 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=27904
Jul 10 10:39:07 inf-fw1 kernel: TRACE: filter:FORWARD:rule:3 IN=lan.1
OUT=lan.1 MAC=ac:1f:6b:f5:b7:1b:00:50:56:b6:1f:15:08:00
SRC=10.215.246.24 DST=10.215.144.251 LEN=60 TOS=0x00 PREC=0x00 TTL=127
ID=21632 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=27904
Jul 10 10:39:07 inf-fw1 kernel: TRACE: filter:lan1_frwd:rule:3
IN=lan.1 OUT=lan.1 MAC=ac:1f:6b:f5:b7:1b:00:50:56:b6:1f:15:08:00
SRC=10.215.246.24 DST=10.215.144.251 LEN=60 TOS=0x00 PREC=0x00 TTL=127
ID=21632 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=27904
Jul 10 10:39:07 inf-fw1 kernel: TRACE: filter:~comb266:rule:1 IN=lan.1
OUT=lan.1 MAC=ac:1f:6b:f5:b7:1b:00:50:56:b6:1f:15:08:00
SRC=10.215.246.24 DST=10.215.144.251 LEN=60 TOS=0x00 PREC=0x00 TTL=127
ID=21632 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=27904
Jul 10 10:39:07 inf-fw1 kernel: TRACE: filter:dynamic:return:1
IN=lan.1 OUT=lan.1 MAC=ac:1f:6b:f5:b7:1b:00:50:56:b6:1f:15:08:00
SRC=10.215.246.24 DST=10.215.144.251 LEN=60 TOS=0x00 PREC=0x00 TTL=127
ID=21632 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=27904
Jul 10 10:39:07 inf-fw1 kernel: TRACE: filter:~comb266:return:3
IN=lan.1 OUT=lan.1 MAC=ac:1f:6b:f5:b7:1b:00:50:56:b6:1f:15:08:00
SRC=10.215.246.24 DST 10.215.144.251 LEN=60 TOS=0x00 PREC=0x00 TTL=127
ID=21632 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=27904
Jul 10 10:39:07 inf-fw1 kernel: TRACE: mangle:POSTROUTING:policy:1 IN=
OUT=lan.1 SRC=10.215.246.24 DST=10.215.144.251 LEN=60 TOS=0x00
PREC=0x00 TTL=127 ID=21632 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=27904

This is an updated dump:

https://drive.google.com/file/d/1ixZz0m7DaTDK54Wiu_sJMLUQxE7fjiVl/view?usp=sharing

Vieri


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users

Re: [Shorewall-users] Cannot ping between hosts in the same zone but with different netmasks

Reply via email to